Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
Online
ISSN
2299-0984
See all formats and pricing
More options …

Wiretapping End-to-End Encrypted VoIP Calls: Real-World Attacks on ZRTP

Dominik Schürmann / Fabian Kabus / Gregor Hildermeier / Lars Wolf
Published Online: 2017-07-06 | DOI: https://doi.org/10.1515/popets-2017-0025

Abstract

Voice calls are still one of the most common use cases for smartphones. Often, sensitive personal information but also confidential business information is shared. End-to-end security is required to protect against wiretapping of voice calls. For such real-time communication, the ZRTP key-agreement protocol has been proposed. By verbally comparing a small number of on-screen characters or words, called Short Authentication Strings, the participants can be sure that no one is wiretapping the call. Since 2011, ZRTP is an IETF standard implemented in several VoIP clients.

In this paper, we analyzed attacks on real-world VoIP systems, in particular those implementing the ZRTP standard. We evaluate the protocol compliance, error handling, and user interfaces of the most common ZRTP-capable VoIP clients. Our extensive analysis uncovered a critical vulnerability that allows wiretapping even though Short Authentication Strings are compared correctly. We discuss shortcomings in the clients’ error handling and design of security indicators potentially leading to insecure connections.

Keywords: ZRTP; VoIP; SIP; key exchange

References

  • [1] Devdatta Akhawe and Adrienne Porter Felt. Alice in warningland: A large-scale field study of browser security warning effectiveness. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 257–272, Washington, D.C., 2013. USENIX.Google Scholar

  • [2] akwizgran. basic-english. https://github.com/akwizgran/basic-english. (Accessed: 10/2016).

  • [3] K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, and S. Zanella-Béguelin. Downgrade resilience in key-exchange protocols. In IEEE Symposium on Security and Privacy (SP), pages 506–525, May 2016.Google Scholar

  • [4] R. Bresciani and A. Butterfield. A formal security proof for the ZRTP protocol. In International Conference for Internet Technology and Secured Transactions (ICITST), pages 1–6, Nov 2009.Google Scholar

  • [5] Riccardo Bresciani. The ZRTP protocol analysis on the diffie-hellman mode. Computer Science Department Technical Report TCD-CS-2009-13, Trinity College Dublin, 2009.Google Scholar

  • [6] Riccardo Bresciani and Andrew Butterfield. ProVerif analysis of the ZRTP protocol. International Journal for Infonomics (IJI), 3(3), 2010.Google Scholar

  • [7] Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, and Matthew Smith. An Empirical Study of Textual Key-Fingerprint Representations. In 25th USENIX Security Symposium (USENIX Security 16), pages 193–208, Austin, TX, August 2016. USENIX.Google Scholar

  • [8] Werner Dittmann. ZRTP4PJ README. https://github.com/wernerd/ZRTP4PJ/tree/develop, 2015. (Accessed: 10/2016).

  • [9] Electronic Frontier Foundation. Secure Messaging Scorecard. https://www.eff.org/secure-messaging-scorecard, November 2014.

  • [10] Facebook. Messenger Secret Conversations. https://fbnewsroomus.files.wordpress.com/2016/07/secret_conversations_whitepaper-1.pdf, July 2016.

  • [11] Michael Farb, Yue-Hsun Lin, Tiffany Hyun-Jin Kim, Jonathan McCune, and Adrian Perrig. SafeSlinger: easy-to-use and secure public-key exchange. In Proceedings of the 19th annual international conference on Mobile computing & networking, pages 417–428. ACM, 2013.Google Scholar

  • [12] Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking Connection Security Indicators. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), pages 1–14, Denver, CO, June 2016. USENIX.Google Scholar

  • [13] Guardianproject. Open {Secure, Source, Standards} Telephony Network (OSTN). https://dev.guardianproject.info/projects/ostn/wiki/Wiki, April 2016.

  • [14] Prateek Gupta and Vitaly Shmatikov. Security Analysis of Voice-over-IP Protocols. In 20th IEEE Computer Security Foundations Symposium (CSF 2007), pages 49–63, Venice, Italy, July 2007.Google Scholar

  • [15] Helmut Hlavacs, Wilfried Gansterer, Hannes Schabauer, Joachim, Martin Petraschek, Thomas Hoeher, and Oliver Jung. Enhancing ZRTP by using Computational Puzzles. Journal of Universal Computer Science, 14(5), 2008.Google Scholar

  • [16] IETF. SIP Working Group. https://datatracker.ietf.org/wg/sip/, July 2009.

  • [17] O. Jung, M. Petraschek, T. Hoeher, and I. Gojmerac. Using sip identity to prevent man-in-the-middle attacks on zrtp. In 2008 1st IFIP Wireless Days, pages 1–5, November 2008.Google Scholar

  • [18] Patrick Juola. Isolated-Word Confusion Metrics and the PGPfone Alphabet. In International Conference on New Methods in Natural Language Processing, 1996.Google Scholar

  • [19] Patrick Juola. Whole-word phonetic distances and the PGPfone alphabet. In Fourth International Conference on Spoken Language (ICSLP 96), volume 1, pages 98–101 vol.1, October 1996.Google Scholar

  • [20] Kamailio. Kamailio SIP-Server. https://www.kamailio.org. (Accessed: 10/2016).

  • [21] Moxie Marlinspike. Creating a low-latency calling network. https://whispersystems.org/blog/low-latency-switching/, January 2013.

  • [22] Aaron van den Oord, Sander Dieleman, Heiga Zen, Karen Simonyan, Oriol Vinyals, Alex Graves, Nal Kalchbrenner, Andrew Senior, and Koray Kavukcuoglu. Wavenet: A generative model for raw audio. arXiv preprint arXiv:1609.03499, 2016.Google Scholar

  • [23] Saurabh Panjwani and Achintya Prakash. Crowdsourcing Attacks on Biometric Systems. In Symposium On Usable Privacy and Security (SOUPS 2014), pages 257–269, Menlo Park, CA, July 2014. USENIX.Google Scholar

  • [24] Martin Petraschek, Thomas Hoeher, Oliver Jung, Helmut Hlavacs, and Wilfried Gansterer. Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP. Journal of Universal Computer Science, 14(5):673–692, 2008.Google Scholar

  • [25] Pew Research Center. The Smartphone Difference. http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/, April 2015.

  • [26] PjProject. PjProject. http://pjsip.org/, 2015. (Accessed: 10/2016).

  • [27] Peter Saint-Andre. Use of ZRTP in Jingle RTP Sessions. XEP-0262, June 2011.Google Scholar

  • [28] Dominik Schürmann and Stephan Sigg. Poster: Handsfree ZRTP - A Novel Key Agreement for RTP, Protected by Voice Commitments. In Symposium On Usable Privacy and Security (SOUPS), July 2013.Google Scholar

  • [29] Joe Beda Peter Saint-Andre Robert McQueen Sean Egan Scott Ludwig and Joe Hildebrand. Jingle. XEP-0166, May 2016.Google Scholar

  • [30] Peter Saint-Andre Sean Egan Robert McQueen Scott Ludwig and Diana Cionoiu. Jingle RTP Sessions. XEP-0167, July 2016.Google Scholar

  • [31] Maliheh Shirvanian and Nitesh Saxena. Wiretapping via Mimicry: Short Voice Imitation Man-in-the-Middle Attacks on Crypto Phones. In Proc. of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 14), pages 868–879, New York, NY, USA, 2014. ACM.Google Scholar

  • [32] Maliheh Shirvanian and Nitesh Saxena. On the security and usability of crypto phones. In Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pages 21–30, New York, NY, USA, 2015. ACM.Google Scholar

  • [33] Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. Crying wolf: An empirical study of ssl warning effectiveness. In Proceedings of the 18th Conference on USENIX Security Symposium, SSYM’09, pages 399–416, Berkeley, CA, USA, 2009. USENIX.Google Scholar

  • [34] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith. SoK: Secure Messaging. In IEEE Symposium on Security and Privacy, pages 232–249, May 2015.Google Scholar

  • [35] WhatsApp. WhatsApp Encryption Overview. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf, April 2016.

  • [36] Wikipedia. Commitment scheme. http://en.wikipedia.org/wiki/Commitment_scheme. (Accessed: 10/2016).

  • [37] P. Zimmermann, A. Johnston, and J. Callas. ZRTP: Media Path Key Agreement for Unicast Secure RTP. RFC 6189 (Informational), April 2011.Google Scholar

About the article

Received: 2016-11-30

Revised: 2017-03-15

Accepted: 2017-03-16

Published Online: 2017-07-06

Published in Print: 2017-07-01


Citation Information: Proceedings on Privacy Enhancing Technologies, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2017-0025.

Export Citation

© 2017 Dominik Schürmann et al., published by De Gruyter Open. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in